問題描述
當 Azure Web App 進行安全掃描後,發現依舊支援很多弱TLS加密套件(Weak TLS Ciphers Suite),那麼是否有辦法來關閉這些弱的加密套件呢?
在Windows IIS環境中,可以通過修改系統資料庫修改 For Microsoft IIS, you should make some changes to the system registry.
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.
a. Click Start, click Run, type regedt32 or type regedit, and then click OK.
b. In Registry Editor, locate the following registry key: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
c. Set "Enabled" DWORD to "0x0" for the following registry keys:
- SCHANNEL\Ciphers\DES 56/56
- SCHANNEL\Ciphers\RC4 64/128
- SCHANNEL\Ciphers\RC4 40/128
- SCHANNEL\Ciphers\RC2 56/128
- SCHANNEL\Ciphers\RC2 40/128
- SCHANNEL\Ciphers\NULL
- SCHANNEL\Hashes\MD5
那麼,在Azure Web App服務中,是否有辦法來修改 Weak TLS Ciphers 呢?
問題解答
目前,Web App 已經開始提供通過 API 來修改 minTlsCipherSuite 屬性,通過修改最低可接受的加密套件,來實作對弱加密套件的排除。 但是,目前隻有進階層(Premium) 支援。
具體的HTTP請求為:
PATCH https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/web?api-version=2022-03-01 Request Body:
{
"properties": {
"minTlsCipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
}
} 而其他的定價層,目前并不支援,如果是進階層之下的Web App,目前并不支援修改 minTlsCipherSuite 的值。如果這些定價層的Web App需要解決弱加密套件問題,可以在前端加一個應用服務網關(Application Gateway), 網關服務支援修改加密套件。 詳見:https://docs.azure.cn/zh-cn/application-gateway/application-gateway-ssl-policy-overview#custom-tls-policy
參考資料
Web Apps - Update Configuration : https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/update-configuration
Disabling Weaker TLS Cipher Suites for Web Apps on Multi-tenant Premium App Service Plans : https://azure.github.io/AppService/2022/10/11/Public-preview-min-tls-cipher-suite.html#supported-cipher-suites
What are cipher suites and how do they work on App Service?
A cipher suite is a set of instructions that contains algorithms and protocols to help secure network connections between clients and servers. By default, the front-end’s OS would pick the most secure cipher suite that is supported by both the front-end and the client. However, if the client only supports weak cipher suites, then the front-end’s OS would end up picking a weak cipher suite that is supported by them both.
If a customer’s organization has restrictions on what cipher suites are not be allowed, they may update their web app’s minimum TLS cipher suite property to ensure that the weaker cipher suites would be disabled for their web app. The next part of the article will go through the new minimum TLS cipher suite feature that is currently in public preview.
Minimum TLS Cipher Suite Feature
The minimum TLS cipher suite feature comes with a pre-determined list of cipher suites that cannot be reordered nor reprioritized. Since the service is already using the ideal priority order, it is not recommended for customers to reprioritize the the cipher suite order. Customers can potentially leave their web apps exposed if weaker cipher suites are prioritized over the stronger ones. Customers also cannot add newer or different cipher suites to the list of supported cipher suites. When a minimum cipher suite is selected, all the cipher suites that are less secure than the selected minimum one would be disabled for the web app. There is no support to make exceptions and to disable only some of the cipher suites that are weaker than the selected minimum cipher suite.